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ABSTRACT 

In wireless systems, neighbor discovery (ND) is a fundamen- 
tal building block: determining which devices are within di- 
rect radio communication is an enabler for networking proto- 
cols and a wide range of applications. To thwart abuse of ND 
and the resultant compromise of the dependent functionality 
of wireless systems, numerous works proposed solutions to 
secure ND. Nonetheless, until very recently, there has been 
no formal analysis of secure ND protocols. We close this 
gap in [24], but we concentrate primarily on the derivation 
of an impossibility result for a class of protocols. In this pa- 
per, we focus on reasoning about specific protocols. First, 
we contribute a number of extensions and refinements on the 
framework of [23]. As we are particularly concerned with the 
practicality of provably secure ND protocols, we investigate 
availability and redefine accordingly the ND specification, 
and also consider composability of ND with other protocols. 
Then, we propose and analyze two secure ND protocols: We 
revisit one of the protocols analyzed in [21], and introduce 
and prove correct a more elaborate challenge-response pro- 
tocol. 

Categories and Subject Descriptors 

C.2.0 [Computer-Communication Networks]: General — 
Security and protection 

General Terms 

Security 

Keywords 

wireless networks security, secure neighbor discovery, relay 
attack 

1. INTRODUCTION 

Wireless communication systems have been developed and 
deployed in increasing numbers and for diverse technologies, 
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enabling a broad spectrum of applications. Nonetheless, al- 
though emerging wireless networking and mobile computing 
technologies offer a new rich set of tools, they also open 
the door to new vulnerabilities, primarily because wireless 
communication makes eavesdropping and injection of mes- 
sages easy. Realizing that attacks against a wireless system 
can be perpetrated essentially anywhere and anytime, the 
research community devised a large volume of solutions to 
secure wireless networking protocols and applications. 

Among these efforts, the problem of securing neighbor dis- 
covery has received significant attention. Neighbor discovery 
(ND), that is, discovering that a wireless device (node) is di- 
rectly reachable without the assistance of any other device, 
is a fundamental element for practically any wireless sys- 
tem. As a result, an attack against ND, that is, misleading 
nodes into believing they are neighbors when they are not, 
does not merely introduce an artificial wireless communica- 
tion link between the victim (misled) nodes. It is a simple 
method to compromise and abuse the system functionality 
that builds on ND: It is sufficient for the adversary to sim- 
ply relay messages from one point to another in the network, 
and vice versa, without any message modification, to stage 
what is often termed a wormhole attack. 

The consequences of such attacks can vary and be dev- 
astating. Consider, for example, the neighbor discovery of 
an access point (AP) performed by a mobile host in a WiFi 
network that allows access to networked resources. A re- 
lay attack may appear at first benign, or even helpful, as it 
essentially extends the AP range. However, it offers the ad- 
versary the opportunity to intercept and fully control com- 
munications of mobile hosts that cannot reach the AP but 
are 'attracted' to do so over the wormhole setup by the at- 
tacker. Similarly, for multi-hop wireless communication: In 
a wireless sensor network, nodes are likely to send their mea- 
surements to the sink over a path that includes a wormhole. 
In a different setting, a relay attack can be the most effec- 
tive pick-pocket or lock-picking mechanism: The adversary 
approaches a victim user, carrying a radio frequency identifi- 
cation (RFID) tag for payments or for opening a car, garage, 
or office building door, she then relays communication be- 
tween the RFID tag reader and the victim's tag, when the 
user is far from the RFID reader, and she gets a money 
charge through or physically accesses the building. 

The basic approach against such relay attacks has been 
to protect the pair-wise execution of ND protocols with the 
help of various forms of distance bounding (DB) [3 1151 [H]: 
A node estimates its distance to another node by measuring 
the signal time-of- flight (ToF) to and/or from that node; if 



and only if the estimate is below a threshold, it declares it 
a neighbor. In spite of numerous schemes that are built on 
this approach, surveyed in Sec. |B] there has been no proof 
that secure ND is indeed achieved. This gap was brought 
forth very recently. [21] first argued informally that the 
existing proposals left the problem largely open and pointed 
out a common misconception in the notion of ND. Then, 
[24j established that, indeed, even for the most basic form 
of ND, what we term two-party ND, it is impossible for a 
large class of protocols that rely on time measurements to 
secure ND. 

More important than the impossibility result per se, this 
highlights the need to prove the properties of security proto- 
cols. Developments over many years are not a substitute for 
rigorous reasoning on the protocol properties. In fact, a false 
feeling of trustworthy technology can lead to the deployment 
of solutions (algorithms, protocols) that were never proven 
secure. The subsequent discovery of attacks exploiting core 
design flaws rather than implementation glitches could only 
be a natural aftermath. The second important message that 
one can extract from [24] is the need to carefully take into 
consideration the idiosyncracies of the particular environ- 
ment of the system to be secured. The basic observation be- 
hind the impossibility result is otherwise seemingly straight- 
forward: Obstacles or interference can prevent nearby nodes 
from communicating directly, thus allowing the attacker to 
remain undetected while misleading two near-by nodes into 
believing they are neighbors (when they are not, precisely 
because of such obstructions). 

An impossibility result, although it provides important in- 
sight into the problem at hand, does not provide solutions. 
Another crucial question is proving the security of specific 
ND protocols (under assumptions lifting the impossibility 
result, obviously). We make a first step in this direction 
in [24] , proving correctness of a simple ND protocol. In this 
paper, we continue on this path. We refine and extend the 
framework of [2j (Sec.[2ll, providing a precise mathematical 
model of a wireless network and the adversary. These refine- 
ments and extensions bring our framework closer to the real 
world, in terms of reasoning on protocol correctness, and 
enable us to define the more elaborate challenge-response 
(CR) ND protocols we introduce in this paper (Sec. 13. 2|) . 
We revisit one of the beacon (B) protocols considered in 
[24j . and investigate additional protocols in our technical 
report [25]. Furthermore, we propose more practical avail- 
ability properties (Sec. I3.1|l than those geared towards and 
sufficient for the quest for the impossibility result. Clearly, a 
secure ND protocol concluding its execution correctly only 
'once in a lifetime' satisfies the specification in [21] but it 
is not practical. In terms of further approaching practical 
instantiations, we also consider composability: We aim at 
results which hold when the secure ND protocols are used 
along with other protocols. All these elements lead to a 
precise problem specification, thus enabling us to develop 
proofs for secure ND protocols (Sec.|4ll. Before we conclude, 
we provide a discussion on the framework and the analysis 
performed in this paper, identify open problems (Sec. [5}, 
and survey related work (Sec. |B]). 

2. SYSTEM MODEL 

We are interested in modeling a wireless network: Its ba- 
sic entities, nodes, are processes running on computational 
platforms equipped with transceivers communicating over a 



wireless channel. We assume that nodes have synchronized 
clocks (although not all protocols we consider in this paper 
make use of this assumption) and are static (not mobile). 
Nodes either follow the implemented system functionality, 
in which case we denote them as correct, or they are under 
the control of an adversary, in which case we denote them as 
adversarial nodes. Adversarial nodes can behave in an arbi- 
trary fashion, also acting as correct nodes or lying dormant 
for any period of time. 

We model communication at the physical layer rather than 
at higher layers (data link, network, or application), in or- 
der to capture the inherent characteristics of ND in wireless 
networks. For simplicity, correct nodes are assumed to use 
a single wireless channel and omnidirectional antennas, but 
we do not require them to have equal transmission power 
and receiver sensitivity. On the contrary, adversarial nodes 
use directional antennas to communicate across the wireless 
channel used by correct nodes, but they can also communi- 
cate across a dedicated adversary channel imperceptible to 
correct nodes. 

Our system model comprises: (i) a setting S that describes 
the type (correct or adversarial) of nodes, their location and 
the state of the wireless channel; (ii) a protocol model V 
that determines the behavior of correct nodes; (iii) an adver- 
sary model A that determines the capabilities of adversarial 
nodes. 

We assume that looking at the system at any point in 
time reveals one or more phenomena. We are interested in 
those relevant to the wireless communication and the sys- 
tem at hand and thus to our analysis. We denote these phe- 
nomena, associated with nodes, as events (Def. |3]|. Then, 
we model the system evolution over time using the notion 
of trace, i.e., a set of events (Def. [JJl. More precisely, we 
use feasible traces, which satisfy constraints specified by S 
(correspondence between wireless sending and receiving of 
messages), V (correct nodes follow the protocol), and A (ad- 
versarial nodes behave according to their capabilities). The 
constraints are defined by logical formulas we call rules. 

2.1 System Parameters 

Our model includes a number of parameters, listed below, 
which are determined by the technologies used by correct 
and adversarial nodes. 

• V G R>o, the signal propagation speed, defining how 
fast messages propagate across the wireless channel, 
determined by the communication technology, 

• Vadv ^ V, the information propagation speed over the 
adversary channel; as v^dv ^ v this is also the maxi- 
mum speed at which information can propagate, 

• A C 2* , the set of antenna patterns that adversarial 
nodes can utilize with their directional antennas, 

• Aroiay £ R, the minimum relaying delay introduced by 
a node when relaying a message; this delay is due to 
processing exclusively, it does not include propagation 
time or any other delay. 

Further, V denotes the set of unique node identifiers, which 
for simplicity we will consider equivalent with the nodes 
themselves |j 

^Although this implies that every node is assigned a single 
identifier, it does not prevent an adversarial node from using 
(in the messages in sends) any identifier. 



2.2 Settings 

A setting describes the type and location of nodes, and 
how the state of the wireless channel changes over time. 

Definition 1. A setting S is a tuple {V,loc, type, link, nlos) , 
where: 

• V CY is a finite set of nodes. An ordered pair {A, B) £ 

is called a link. 

• loc : V ^ is the node location function. As we 
assume nodes are not mobile, this function does not de- 
pend on time. We define dist : R^o o,s 
dist{A, B) = d{loc{A), loc{B)), where d is the Euclidean 
distance in M.^ . We require the loc function to be m- 
jective, so that no two nodes share the same location. 
Thus, dist(A, B) >0 for A^ B. 

• type : V — » {correct, adversarial} is the type func- 
tion; it defines which nodes are correct and which are 
adversarial. This function does not depend on time, 
as we assume that the adversary does not corrupt new 
nodes during the system execution. We denote Vcor ~ 
type^^ {{correct}) and I4dv ~ type^^ {{adversarial}). 

• link : X R^o down} is the link state func- 
tion. Accordingly, we say that at a given time t J5 
0, a link {A, B) G V'^ is up (denoted t::A^B) or 
down ( denoted t :: A-^B ). We use abbreviations t :: A*-> 
B =def t::A—>B A t::B^A andtwA^B =dcf 
t-.-.A^B A t::B^A. We extend the "t::A^B" 
notation from single time points to sets as follows: 
T:: A^B ^i^t \ft e T. tv.A^B. We establish the 
convention R^o :: A^A. 

• nlos : — > R^o is the non-line-of-sight delay (NLOS) 
function. If two nodes A and B can communicate 
over a line of sight, then nlos{A,B) = 0. Otherwise, 
nlos{A, B) specifies the additional distance that the sig- 
nal has to propagate compared to line-of-sight propaga- 
tion dist{A, B). We assume this function is symmet- 
ric, because of reciprocity of wireless links. 

We denote the set of all settings by E. 

The ability to communicate directly, without the inter- 
vention or 'assistance' of relays, is expressed in our model 
by a link being up, thus the following definition: 

Definition 2. Node ^4 is a neighbor of node B in setting 
S at time t, if t:: A^B . If t:: A^B we will say that nodes 
A and B are neighbors at time t. 

For simplicity in presentation, we use "t :: A—>B" to denote 
the neighbor relation and the link relation. 

2.3 Message Space 

The denote the set of all messages as M. Any of the 
following is a message: 

• an identifier A £Y, 

• a timestamp t £ R^o, 

• a location Z £ R"^, 

• a nonce n £ Nonces. 



Moreover, two messages mi , m2 can be concatenated to 
form a message (mi, 7712). Furthermore, an authenticator 
authA(m), where A £ Y and m £ M, is also a messageQ 
Hence, messages are essentially terms, with the subterm re- 
lation is denoted by C. 

Every message m has a duration |m| £ R^o, which de- 
termines the transmission delay {not including the propa- 
gation delay), reflecting the bit-rate of the underlying com- 
munication technology. We assume that message duration 
is preserved by concatenation, but not by an authentica- 
tor. For m — (mi, m2, . . . , mfe), the duration is |m| = 
|mij + |m2| + . . . -f |mfe| and the position of rui in m is 
pos{mi C m) = |mi| -I- . . . -|- |mi_i|, with pos{m\ C m) = 0; 
in the case of multiple occurrences of m' C m, pos{m' □ m) 
gives the position of the first occurrence. When we use the 
duration function for any concatenated message, we omit 
the brackets: \m\,m2, . . . , mfc|. Finally, we assume that the 
duration of identifiers, timestamps, locations, nonces and 
authenticators in M is upper-bounded by some constant. 

2.4 Events and Traces 

We use the notion of trace to model an execution of the 
system. A trace is composed of events. We model events re- 
lated to the wireless communication and the ND protocols 
operation. Each event is primarily associated with (essen- 
tially, takes place at) a node we call the active node. 

Definition 3. An event is one of the following terms: 

• Receive(A;t;m) • He\g\\hor{A;t;B,C,t') 

• Bcsst{A;t;m) • NDstart(yl; t) 

• Dcast(yl;t;a;m) • NDstart(yl; B) 

• Fresh(yl; f; n) 

where A £Y is the active node, t £ R^o the event start 
time, denoted by start{.), and m £ M, n £ Nonces, a £ A, 

B,C £ V, £ R^o. 

Assuming that mi C m2, we use Bcast(y4; t; mi C m2) to 
denote the event Bcast{A; t — pos {mi C rn2);m2); likewise 
for Dcast and Receive. 

The first three events are related to communication on 
the physical layer. Receive represents message reception. 
Beast represents sending a message with an omnidirectional 
antenna. Dcast represents sending a message with a direc- 
tional antenna using a pattern a £ A. The pattern a is 
a subset of R"^ indicating which nodes receive the message, 
assuming the sending node A is located at (0, 0, 0). We use 
the notation B £ (y.{A), meaning that loc{B) — loc{A) £ a. 
The set of allowable antenna patterns. A, depends on the 
antenna used by the adversarial nodes. We do not dwell on 
the details of the structure of A, except for one requirement: 
R^ £ A; this is to ensure that adversarial nodes can use their 
antenna in an omnidirectional fashion. 

Fresh is used to declare that nonce n is (freshly) generated 
by A at time t or, in other words, that it was not sent be- 
fore t. The remaining three events are specific to neighbor 
discovery protocols. Neighbor can be thought of as an in- 
ternal outcome of a ND protocol (possibly reported to some 

^The auth term represents an asymmetric authenticator, 
such as a digital signature. 



higher layer): Node A declares that B is a neighbor of C 
at time t' . Having t' a single point in time is for simplicity 
only, and we could easily generalize to arbitrary sets. With 
NDstart, node A declares that an instance of a ND protocol 
has been initialized; either with a specific node B or with 
all neighbors. Next, traces comprising the above events are 
defined. 

Definition 4. A trace is a set of events that satisfies 
what we call the finite cut condition; for any finite t ^ 0, 
the subset {e £ 6 \ start{e) < t} is finite. 

The finite cut condition ensures that, during a finite amount 
of time, only a finite number of events occurs; as settings 
comprise a finite number of nodes, this is natural to demand. 

We denote the set of all traces by O, and Qs.v,A the set 
of traces feasible with respect to a setting 5, a protocol V 
and an adversary A. 

2.5 Setting-Feasible Traces 

The feasibility of a trace with respect to a setting 5 — 
{V, loc, type, Imk, nlos) ensures a causal and strict time re- 
lation between send and receive events; it is formally de- 
fined by rules Si - S4 (Fig. [T]). Rule Si ensures that ev- 
ery message that is received was previously sent. Dually, 
rules S2 and S3 ensure that a message broadcasted or sent 
with a directional antenna is received by all nodes enabled 
to do so by the link relation and, in the latter case, the 
antenna pattern used. In other words, communication is 
causal (a receive is always preceded by a sent), and reliable 
as long as the link is up. Unreliability, expected and com- 
mon in wireless communications, is modeled by the state of 
the link being down. Furthermore, these rules introduce a 
strict time relation between events, refiecting the propaga- 
tion delay from A to B, across the channel, with speed v: 
{dist{A, B) + nlos{A, B))-v^^ . Rule S4 is a technical one: 
It ensures that no communication events are performed by 
nodes not present in setting S, and that Beast and Dcast 
events are used exclusively by correct and adversarial nodes, 
respectively. Note that this is not a restriction of the adver- 
sary: Bcast{A; t;m) can be emulated (i.e., trigger exactly 
the same Receive events) by Dcast(y4; f; R'^; m). 

2.6 Protocol-Feasible Traces 

Intuitively, a trace is feasible with respect to protocol V 
if correct nodes behave according to V. Therefore the rules 
that specify this type of feasibility are protocol-dependent 
and are defined in Sec. 13.21 However, there is one general 
rule that dictates the behavior of correct nodes with respect 
to nonces. Rule Fl (Fig. [T| guarantees that if a nonce n 
is freshly generated at time t (i) the node that generated n 
will not broadcast it before t, (ii) any other correct node who 
broadcasts a message containing nonce n must have receive 
it (possibly in a different message) at least Areiay before 
broadcasting; this time difference is measured with respect 
to the positions of the nonce in the respective messages. 

2.7 Adversary-Feasible Traces 

We consider a single adversary model denoted by A. Intu- 
itively, adversarial nodes are allowed to send arbitrary mes- 
sages, except for messages which would violate properties of 
authenticators or freshness. 

A trace 6 is feasible with respect to A if rules Al - a2 
(Fig. [TJ are satisfied. Rule Al deals with authenticators: An 



adversarial node is allowed to send a message containing ar- 
bitrary authenticators, as long as they are generated by an 
adversarial node (itself or other). This implies that adversar- 
ial nodes can share cryptographic keys or any material used 
for authentication. Furthermore, rule Al reflects that the 
adversary cannot forge authenticated messages: Any mes- 
sage sent by an adversarial node that contains an authen- 
ticator generated by a correct node must be a relayed one. 
In other words, some (possibly the same) adversarial node 
must have received a message containing this authenticator 
earlier, at least Aroiay plus the propagation delay between 
the two nodes over the adversarial channel. This condi- 
tion reflects the structure of the adversarial channel: Any 
two adversarial nodes can establish direct communication. 
Rule a2 is similar to Al, but it is responsible for freshness: 
An adversary sending a message with a nonce generated by 
a correct can only be relaying the message (nonce). In this 
sense rule a2 is an adversarial equivalent of rule Fl. 

3. ND SPECIFICATION AND PROTOCOLS 

In this section, we propose four types of ND protocols and 
their corresponding specifications. Due to limited space, we 
investigate in detail only two types; more can be found in 
our technical report We distinguish between (i) beacon- 
based protocols {B -protocols) , represented by V^^'^ , which 
require the transmission of one message by one of the pro- 
tocol participants and synchronized clock for both partic- 
ipating nodes, and (ii) challenge-response protocols [CR- 
protocols), represented by 'p'-'^^^^^ which require a transmis- 
sion of messages by both participants but no synchronized 
clocks. Within and across these categories, we distinguish 
protocols, as in [24] , according to their capability to perform 
time measurements (T-protocols) or time measurements and 
location awareness (TL-protocols). 

3.1 ND Properties 

We consider two classes of properties ND protocols should 
satisfy. The first class pertains to correctness and consists 
of a single property, NDl (Fig. [2]): If two correct nodefl are 
declared neighbors at some time, then they must indeed be 
neighbors at that time. More precisely, there are two cases: 
(i) Node A can declare that B is its neighbor (i.e., A can 
receive messages from B) or (ii) A can declare that it is a 
neighbor of C (i.e., C can receive messages from A). In the 
latter case, property NDl requires link {C,A) to be up at 
not exactly time t' , but rather dist{A,C) + nlos{A,C))'v~^ 
(propagation delay) after t' . As our model mandates that 
the link state is determined at the receiving end (node), if A 
declares that it is a neighbor of C at time t' , a message sent 
by yl at t would be indeed received by C. In other words, 
A is not forced to estimate the propagation delay to make a 
correct neighbor statement. 

The second class of properties pertains to availability: If 
two nodes are neighbors for a long enough, protocol-specific 
time T-p, the protocol must declare them neighbors. In the 
case of T-protocols, an additional notion needs to be intro- 
duced to formulate satisfiable availability properties: neigh- 
bor discovery (ND) range, R G K>o. Typically, R is equal 
to the nominal communication range for a given wireless 
medium and transceiver technology, however, we use R more 

■^The requirement that B and C be correct is explained in 
the Sec. El 
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Figure 1: Setting-, adversary- and common protocol-feasibility rules 
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Figure 2: Selected ND properties. 



freely as the communication rang43 for which ND inferences 
are drawn. In other words, nodes at a communication range 
larger than R will not be required to declare each other 
neighbor. 

Fig.[2]displays two example ND2 properties for two types of 
protocols we consider: B/T-protocols and CR/TL-protocols. 
These two properties differ in four aspects, one depending 
on whether the protocol is T or TL, whereas the other three 
aspects depending on the protocol is beacon or challenge- 
response. The first aspect is the NDstart event: For CR- 
protocols, a particular neighbor B with which ND is started 
is specified, whereas no such specification is necessary for 
B-protocols. Second, it may be required that link {A, B) 
be up in only one direction (B-protocols) or both directions 
(CR-protocols). Third, for T-protocols an upper-bound on 
propagation distance in enforced {dist{A, B) -|- nlos{A, B) ^ 
R), whereas for TL-protocols line-of-sight propagation is re- 
quired {nlos{A, B) = 0). Forth, different forms of neigh- 
bor declaration are possible. The node making the declara- 
tion might be the same as (CR-protocols) or difi'erent (B- 
protocols) from the one initiating the ND protocol. More- 
over the declaration might be uni-directional (B-protocols) 
or bi-directional (CR-protocols). Based on these differences, 
we can derive two additional ND2 properties ND2^/^'" and 
N 02^''''"^ (detailed in :25,). 

3.2 ND Protocols 

Fundamentally, beyond authentication mechanisms, all the 
ND protocols we consider measure the signal time-of-fiight 
(ToF) between two nodes: B-protocols, with tightly syn- 
chronized clocks, are able to estimate ToF by transmitting 

*By "communication range" we understand the actual dis- 
tance plus NLOS effects. 



a single beacon message, whereas CR-protocols require two 
messages, a challenge and a response, for the same purpose. 
T-protocols accept neighbor relations as valid if the ToF dis- 
tance is below a threshold, as in [15], whereas TL-protocols 
require this distance to be equal to the geographical distance 
calculated based on nodes locations, as proposed in |24) . 

To make the presentation more approachable, we present 
the protocols in the form of pseudo-code, based on which we 
present the rules we developed to define the protocols. The 
pseudo-code is divided into blocks starting with a triggering 
event (on clause). If the triggering event occurs, the body 
of the block is executed, i.e., other events take place. 

We start with a simple B/T-protocol we denote V^^^, 
which is essentially the temporal packet leash protocol pro- 
posed by Hu, Perrig and Johnson in |15) . 

1: on NDstart(4;ti) 
2: Bcast(A;ti; (A,ti,authA(ti))) 

3: on Rece\\/e{B;t2; {A,ti, authA{ti)}) 
4: if t2 - ti 5? Rv"^ 

5: Neighbor(B;t2 + \ A,ti, authA{ti)\; A, B ,t2) 

Block 1-2 describes the behavior after the ND protocol 
is started at node A (e.g., by a higher layer protocol); Pi 
and p2 (Fig. [3]) are the two rules that correspond to this 
block. Block 3-5 describes the behavior of a node after it 
receives a beacon message, and it is modeled by rules P3 
and p4. Rule Pi is straightforward: if ensures that if the 
triggering event of block 1-2, NDstart(j4; ti), occurs in the 
trace, the event in the body of the block also occur. In 
the same fashion, rule P3 is defined for block 3-5, with an 
additional condition coming from the if clause. 

These two rules are already sufficient to prove the ND2 
property, but in a way, they only define half of aspects of 



the the protocol functionahty. Indeed, nothing prevents at 
this point a node running this protocol from making arbi- 
trary neighbor declarations. Rule P4 addresses this, stating 
that if a node makes a neighbor declaration, this has to be 
done according to block 3-5, i.e., the node had to receive a 
"fresh enough" beacon message. Only one aspect remains: 
Correct nodes are still allowed to broadcast arbitrary mes- 
sages, including bogus beacon messages. This is addressed 
by rule P2. To motivate the definition of P2, let us consider 
an alternative rule would still be coherent with the pseudo- 
code: If a correct node broadcasts a message at time ti , this 
message is {A,ti,authA{ti)). We can prove that such a de- 
fined protocol satisfies the ND specification. However, this 
is a weak result, precisely because that rule states that cor- 
rect nodes cannot send any other messages than beacons. 
If the ND protocol were used along with or by any other 
protocol, obviously using other forms of messages, the re- 
sult would no longer apply. To circumvent this undesired 
composability restriction, rule P2 is defined as follows. It 
only requires that if a correct node broadcasts at ti a mes- 
sage m of a particular form, i.e., containing auth_B(f) as a 
subterm, then m — (A, ti, authyi(ti)). Hence, rule P2 gives 
a much less restrictive condition on protocols that can be 
securely composed with P^''^: basically, it mandates that 
any other protocol does not use authenticated timestamps 
of this form0 Rule P4, in terms of composability, implies 
that the node cannot run any other ND protocol (i.e., a pro- 
tocol making neighbor declarations), but we do not see this 
as a real restriction. 

Next, we describe P^r/tl^ CR/TL-protocol. This pro- 
tocol has a practical design twist: As authentication of a 
message can be time-consuming process, in this protocol we 
remove it from the time-critical ToF estimation phase. Oth- 
erwise, if the response needs too much time to be calcu- 
lated, the clock of the challenging node can drift beyond an 
acceptable accuracy level. A protocol parameter A G M^o 
determines exactly how long after the challenge reception a 
node replies. 

01: on NDstart(yl;ti;B) 
02: Fresh(^;ti 4- 
03: Bcast{A;ti;{B,ni)) 

04: on Receive(B;t; {B,ni)) 
05: Fresh{B;t + A;n2) 
06: Bcast(B;t + A; (n2>) 
07: let r > A 

08: Bcast(B; t + r; {loc{B), auths(ni, ?i2, loc{B)))) 

09: on Rece\\/e{A;t; {l,authB{ni,n2,l))) 

10: if occurred fresh{A;ti + |-B|;ni) 

11: if occurred Bcast{A;ti; {B,ni)) 

12: if occurred Receive (A; t2; (712)) 

13: if ^r{t2 - ti - A) = 2d{loc{A),l) 

14: Neighbor(yl; t -I- \l, authB{ni,n2,l)\; A, B,ti) 

15: Neighbor(yl;t-f jz, auths(ni, 712, /)|; B, A, t2) 

Note that we assume that a node keeps track of all the 
events it observes, and it can always refer to this 'history,' as 
in 10-12. Note also that there is no explicit block responsible 
for receiving the (712) response sent by B in 06, because 
in this case node A does not take any action other than 



^If this would pose a problem, the protocol can be modified, 
by e.g., authenticating a timestamp concatenated with some 
constant in place of simple the timestamp. 



recording the event occurrence, for later reference in line 11. 

Considering again that "triggering event implies block body 
events," rule Pi is defined for block 01-03, P2 for block 04-08, 
and p4 for block 09-15. We do not define rules that restrict 
the occurrence of Fresh events (in lines 02 and 05) or the 
form of broadcasted messages (in lines 03 and 06), so that 
there is no obstacle for composability. For line 08, rule p3 
is defined: If a node broadcasts a message m containing a 
authenticator of the form auth_B(ni, n2, Z), then m precisely 
the message defined in line 08, and all the other events from 
block 04-08 occur. Finally, rule p5 is defined based on block 
09-15. There is only one rule, despite two Neighbor events in 
lines 14 and 15, because both events match the universally 
quantified Neighbor event in p5; The rule uses a disjunction, 
as there are (small) timing differences in the node behavior 
depending on which of these two event is considered. 

4. PROOFS 

In this section we prove that two of the protocols we pre- 
sented in the previous section satisfy the NDl and ND2 prop- 
erties. Before we proceed, we present two simple lemmas 
which facilitate subsequent proofs. Lem. [T] deals with au- 
thenticators and is an extension of rule Al, whereas Lem. [2] 
deals with freshness, extending S2 and Fl. The proofs of 
these lemmas are similar, hence we only present the former. 

Lemma 1. Rule Ll (Fig.^ holds for every trace 6 feasible 
with respect to the adversary model A and some setting S. 

Proof. The 1st disjunct {B e Kdv) follows immedi- 
ately from Al, so we assume that B £ Vcor and focus on 
the 2nd disjunct, which we prove by contradiction: Fix 
m = auth_B('Tio). Assume that Dcast{A\t;a\m C mi) £ 9, 
but Bcast(C;t';m C 7712) ^ 6, for any correct C, t' ^ 
t — Arciay — dist{C, A)-v~^^ and 7712 st. 777 C 777,2 (*). 

We use the following reasoning: Apply Al to obtain 
Receive(-D;i — 5; 777 C ma) G 9), where D £ Vadv and 6 > 
Arciay + dist{D , A)v^^ . Ncxt, apply Si to get 
Dcast{E-t-S~{dist{E,D)-nlos{E,D))\r~^-a'-m C ms) £ 
9; the Beast disjunct of Si is ruled out by S4, assump- 
tion (★) and Vadv ^ V, as dist{D , A)\2dv + {dist{E,D) + 
nlos{E, D))v~^ ^ dist{E, A)v~J^^. This reasoning can be re- 
peated ad infinitum, leading to an infinite number of Dcast 
events in 9 with start time below t. This is a contradiction 
with the finite cut condition (Def. Hence, 
Beast (C; t';mC. m2) £ 9 for some correct C, t' ^ t — Aroiay — 
dist{C , A)yr2^^ and m2 st. m C m2. □ 

Lemma 2. Rule l2 (Fig.^^ holds for every trace 9 feasible 
with respect to the adversary model A, some setting S and 
rule Fl. 

Theorem 1. // T^b/t = sup{|^,t,authA(i)| | A £ V, 
t £ R^o} + Rv"^ and Arday > Rv"^ protocol V'^^'^ sat- 
isfies NDl and ND2^^^ . 

Proof. First, we prove NDl (Fig.[2ll. Consider a setting S 
and a trace 9 £ O^ ^b/t _^ such that Neighbor(i3; t; A, C, t2) £ 
9 for A,B,C £ VcoT- As B is correct, apply P4 to get 
C — B and Rece]ye{A;t2; {A,t,i authA{ti)}) £ 9, where t = 
t2 + \A,ti,authA{ti)\ and t2 ^ ti + Rv"^ (★). We need to 
show that t2 :: A-^B. 

Apply Si to get [t2,t2 + \A,ti,authA{ti)\].: D ^ B and 
either: 



P'^/"^ Pi G Kor,*! e R^o- NDstart(^;ii) G 6* => Bcast{A;ti; {A,ti,authA{ti))) & 

p2 \fAeVcoi,BeY,ti,t£R^o,meM. auths(t)CIm A Bcast{A;ti-m) £ 6 => m = (A, ti , authA(ti)> 
p3 VB e Kor, a G V,ti,t2 G %o- Receive(B;i2; (A,ti,authA(ti)>) G 61 A fa-ti^Rv"^ 

=> Neighbor(^;t2 + \ A,ti,authA{ti)\; A, B ,t2) G S 
p4 VB G Kor, A,C G V,t2,t G R;50. Ne\ghhor{B;t;A,C,t2)ee=^C = B 

ABtiGK^o- Receive(_B;t2; (A,ti,authA(ti)>) G e A t2 - ti < Rv"^ A t ^ t2 + \A,ti,authA{ti)\ 
pCR/TL p-^ G Kor,S G V,ti G R^o. NDstart(yl;fi;B) G 6* 3ni G Nonces. 

Fresh(^;fi + |_B|;ni) G e A Bcast(yl; ti; (B, G 6 
p2 \/B G Vcor,t G Rs^o,"! G Nonces. Receive(B;f; {B,ni)) G 6 ^> 3n2 G Nonces, r > A. 

Fresh(B;t + A; 712) G 61 A Bcast(B; t + A; (712)) G 6^ A Bcast(B; t + r; {;oc(B), authi3(?ii , 712, ioc(B)))) G 
p3 VB G Kor,C G V,t G R^o,ni, 712 G Nonces, i G R''^,m G M. authcini,n2,l) Q m A Bcast(i3; m) G 61 = 
3r > 0. 711 = (/oc(B), authB(7ii, 712, ^oc(B))) A Receive(B; f — t — A; (B, 711)) G S 
A Fresh(B; t - r; 112) G 61 A Bcast(B; t - t; (?i2>) G 6 
P4 G Vcor,B G V, 711, 712 G Nonces, ti,t2,t G R^o,/ G R^ 

Receive(^;t; {Z,auths(ni, 712, 0>) G 61 A Fresh(4; fi + |-B|; m) G 61 A Bcast(yl; ti; (B, 711)) G 6* 
A Receive(A;t2; (712}) G A v(t2 - ti - A) = 2d{loc{A),l) ^ 

Neighbor(yl;t + |Z, authB(ni, 712, Z)|; ^, B, ti) G6' A Neighbor(A; t + \l, authB(ni,n2,l)\; B, A,t2) €0 
p5 G Kor,B,C G V,t,to G R^o- Neighbor(^; t;B,C, to) G 6) ^ 

(C = A A 3711,712 G Nonces, ti G R^o,' e R^- Fresh(A; ti + |B|; 711) G 61 A Bcast(4;fi; (B,7ii)) G 61 

A Receive(j4; to; (712)) £ 6 A Receive(yl;f — |/, authfl(7ii, 712, Z) |; auths(7ii, 712, Z))) G 6 

A v(to - ti - A) = 2d{loc(A), I)) V 

{B = A A 3711,712 G Nonces, t2 G R^o,' G R^. Fresh(4; to + |C|; iii) G 61 A Bcast(4; to; (C, iii)) G 61 
A Receive(A; t2; (112)) £ 6 A Receive(yl; t — \l, authc(7ii , 712, Z)|; {I, authc(7ii, 712, Z))) G 6 
A v(t2 - to - A) = 2d{loc{A),l)) 

Figure 3: Rules defining selected ND protocols. 

Ll G Kdv,B G 1^, t G R^o,i'i,i'io,7iii G M, a G A. m = authB(7no) C ttii A Dcast(yl; t; a; m C mi) G 6* 

(B G Kdv) V (3(7 G Vcor,5 ^ Arclay + (ijst(C,^)vJ^,7n2 G M. 771 C 7712 A BcaSt (C; t - 5; 711 C 7112 ) G 61) 

l2 Vyl G ycor,B G V, ti,t2 G R^o,Q G A,71 G Nonces,m G M. A B A n^m A Fresh(A; ti; n) G 61 
A (Bcast(B;t2;ii C m) G 61 V Dcast(B;t2; Q;; 11 TH) G 0^ 'r- t2 tl + dist(^A^ -^)^adv ^rclay 

Figure 4: Rules for Lemmas. 



(a) Bcast(B»;t2 - <5i; (A, ti, authA(ti))) G 6* V 

(b) Dcast(B;t2 - (5i;a; (A, ti , authA(ti))) G 9. 

where 5i = {dist{D,B) + nlos{D, B))v~^ . Consider case 
(a). From S4 we get D G Kor and then from P2 B> = yl. 
Thus t2 :: A—>B, as desired. 

Consider (b). Let r = pos(authA(ti) C (^,ti, authA(ti))). 
Apply Ll, to obtain for some S2 > A^ciay and m st. 
authA(ti) C 711 that Bcast(B;t2 + r — 5i — ^2; authA(ti) C 
m) G d. Refer to P2 to get B = A, m = (4,ti, authA(ti)) 
and ti = t2 — 5i — ^2 < t2 — Aroiay ^ t2 — Rv^^. From the 
latter derive t2 > ti + Rv^^. This is a contradiction with 
(★), thus (b) cannot be true. Consequently, (a) is the only 
valid option, and NDl is satisfied. 

Second, we prove ND2^''^(Fig. Consider a setting 5, 
where nodes A, B G Kor, dist{A,B) + nlos{A,B) < R 
and [ti,ti + TpB/r] :: j4 B. Next, take any trace 9 G 
©5 pB/T _4 such that NDstart(yl; ti) G 9. We need to show 
that Neighbor(B; t'; A, B,t") for some t' > ti and t" G 
[ti, ti + TpB/r]. 

Start by applying Pi to 9 to obtain 
Bcast(yl;ti; (yl, ti, authA(ti))) G 9. As link {A,B) is up for a 
sufficiently long time, S2 implies 

Receive(B; t2; {A,ti, authA(ti))), where t2 — ti + {dist{A, B) + 
nlos{A, B))v^^ . As t2 — ti < Rv^^, p3 implies 
Neighbor(B;t2 + |A, ti, authA(ti)|; ^, B, t2). Obviously, t' = 
t2 + |^,ti,authA(ti)| ^ ti and t" = t2 G [ti,ti + T^b/t], 
which completes the proof. □ 



Theorem 2. // A^iay > 0, Vadv = v and T^cr/tl = 00, 
protocol pCR/TL satisfies NDl and /VD2'^''/"^'-Q 

Proof. First, we prove NDl (Fig.[2|. Consider a setting S 
and a trace 9 G &g pCR/n _4 such that Neighbor(j4; t; B, C, to) G 
9, where A,B,C G Vcor- Apply p5 and arrive at two cases: 

(1) C = A: according to NDl, we need to prove to :: B^A 

(II) B — A: according to NDl, we need to prove 
(to + {dist{A, C) + nlos{A, C))v-^) :: A^C 

We will consider both simultaneously. In case (I) P5 gives: 

(1) Bcast(^;ti; (B,7ii>) G 6* A 

(2) Fresh(A;ti + |B|;7ii) G 6* A 

(3) Receive(A;t2; (112)) G 6* A 

(4) Receive(A;t3; (/, auths (711, 712, /))) G f A 

(5) v(t2 - ti - A) = 2d{loc{A),l) 

for some 111,712 G Nonces, ti,t3 G R^o,Z G R'^ and t2 — to 
(★). In case (II), if we rename C to B, p5 gives (1) - (5) for 
some 711,712 G Nonces, t2,t3 G R^o,' £ R^ and ti = to (**)• 

We continue by applying Si to (4) to obtain for some 
DeV: 

®We set TpCR/TL = 00 for simplicity: Otherwise, we would 
need to assume a maximum distance between A and B to 
have an upper-bound on the protocol execution time. 



(a) Bcast(D; .; (/, auths(ni, 712, i))) & V 

(b) Dcast(D; .; .; (/, auths (ni, 712, 0)) G 9 

("." in place of start time means that we are not con- 
cerned with the value.) Assuming (b), S4 implies D £ Vkdv 
Apply Ll to obtain Bcast(_B; .; m) for some E £V and m st. 
authB(ni, 712, Z) C m Then p3 gives for some ti £ K^o: 

(6) Bcast(B; .; {I, authB(72i, 712, 0)) G ^' A 

(7) I = loc{B) A 

(8) Receive(B;f4 - A; (B,ni)) G f A 

(9) Bcast(B;t4; (712)) G 61 A 

(10) Fresh(B;t4;n2) G 

The same is obtained under (a) via S4 and p3. 
Apply Si to (3) to get for some F £V: 

(11) [t2,t2 + \n2\]::F^A A 

(Bcast(F;f"; (7i2>) G e V Dcast(F; f"; .; (^2)) G e) 

where t" ^ t2 - {dist(F, A) + nlos{F, A))v''^ . We have 
two cases: (c) F = B and (d) F ^ B. For case (c), given 
(10), Fl implies: 

(c) i^ = B A t4,^t2-{dist(A,B) + nlos{A,B))v''^ 

In case (d), under (10), l2 implies t4 + dist{F, A)^^^^ + 
Aroiay ^ t" ^ t2 — dist{F, A)-v^^ . Usiug V — Vadv aud the 
triangle inequality we derive: 

(d) F ^ B A t4, ^ t2 - dlst{A, B)V-^ - A^olay 

Apply Si to (8) to get for some G e V: 

(12) [U- A,U- A + \{B,m)\]::G^B A 

(Bcast(G; t'"; {B, m)) G 9 V Dcast(G; t'"; .; {B, ni))ee) 

where i'" ^ t4 - A - {dist{G, B) + nlos{G, B))^-'^ . Again, 
there are two cases: (e) G = A and (f) G ^ A. In case (e), 
given (2), Fl implies: 

(e) G = A A t4^ h + {dist{A, B) + nlos[A, B))v'^ + A 

In case (f), given (2), l2 implies ti + \B\-'r dist{A, G)v~j'^ + 
Areiay + = U - A - ldist{G , B) + nlos{G , B))^-^ + 
\B\. After simple transformations using the triangle inequal- 
ity and V = Vadv, and omitting the non-negative nlos: 

(f) G^A A t4^tl + dlst{A, B)V-^ +A + Aroiay 

We now have four possible cases to consider: (c) + (e), 
(c)-f(f), (d)-f(e) and (d) + (f). First, combine (5) and (7) 
to obtain: 

(13) t2 - ti - A = 2dist{A, B)v^^ 

In case (c)-l-(e), after some simple transformations we ob- 
tain t2-ii- A ^ 2{dist{A,B) + nlos{A,B))v'^. Given (13), 
this case is feasible if nlos{A, B) — 0. As F = B, (11) implies 
t2 :: -B— >j4, which is what we needed to prove in case (I) given 
(★). Furthermore, G = A and (12) implies {ti - AwA^B). 
In case (e) i4-A = ti + {dist{A, B) + nlos{A, B))v~^ , which 
given (★★) means that property NDl is also satisfied in case 



(II). Finally, as Aroiay > 0, it is easy to see that the re- 
maining three cases are in contradiction with (13), which 
concludes the proof of NDl. 

We now prove that ND2'"''''^'" holds. Assume that 
NDstan{A-ti- B) G 0. We need to prove 

Ne\ghhor{A-t[;A,B,t')ee A Ne\ghbor{A;t2; B, A,t") £ 9 
for some fi,^ G [ti, 00), t', t" G [ti,ti cr/tlJ . 

First apply Pi to obtain Bcast(j4;ti; {B,ni)) G 0. Next, 
as the link in up, Receive(_B; t2; {B,ni)) £ 8 is implied by 
S2, with t2 — ti + dist(A, B)v~^ (the theorem assumes 
nlos{A,B) = 0). Apply P2 to get Bcast(B;t2 -I- A; (712)) G 
6 and Beast (B; t2 + t; {loc{B),authB{ni,n2, loc{B)))) G 6, 
where r > 0. Use the 'link is up' assumption and S2 to get 
Receive (A; t4; (71,2)) G 6 and 

Receive(A; t^; {loc{B), auth_B(7ii, n2, loc{B)))) G 6, where — 
t2 + A + dist{A,B)\~^ = ti + A + 2dist{A, B)w~^ . As 
v(t4 — fl — A) = 2ciisf(yl, B) we conclude the proof by p4. □ 

5. DISCUSSION 

We introduced a number of abstractions in our frame- 
work, simplifying wireless communications, for the sake of 
modeling and reasoning on secure ND (Sec. 15.1] ). In Sec l5.2l 
we outline here differences between protocols in terms of re- 
quirements and satisfied properties, and sketch open prob- 
lems in Sec. 15.31 

5.1 Abstractions and Simplifications 

Mobility and NLOS Delay. We assume nodes are 
static and NLOS delay constant over time. Otherwise, prop- 
agation delay would vary during the transmission of a mes- 
sage. In some cases, mobility and NLOS delay changes are 
negligible for the ND protocol execution time scale. For 
example, during 100/^s, nodes moving at lOOkmph traverse 
2.7mm, which is below the accuracy of RF ranging systems 
(in the order of centimeters [1]). However, in general, mobil- 
ity can have security implications. To see why, consider the 
pCR/TL pj-otocol. If nodes move during the protocol execu- 
tion, it is important when they estimate their location. At 
the very least, A should estimate its location once when it 
sends the challenge, and again when it receives the response; 
whereas the responding node B should estimate its location 
when it sends the response. But even this might be insuffi- 
cient under high mobility: If A measures its location at the 
beginning of the message, while B measures the ToF at the 
end of the message, there may be space for a stealthy relay 
attack. Introducing mobility and a dynamically changing 
NLOS delay in our model is an interesting direction of our 
future work. 

Medium Access Control and Jamming. For sim- 
plicity, we do not introduce any MAC restrictions into the 
model. Hence, a node is able to simultaneously receive any 
finite number of messages, even though in reality it is lim- 
ited )to one message, or more for CDMA-like technologies). 
We could introduce additional rules that model radio in- 
terference, e.g., set links down if two (or more, depending 
on the node transceiver capabilities) simultaneous transmis- 
sions take place. However, this would not affect any of our 
results. Notably, the availability properties require links to 
be up, but they are agnostic as to why links are up or down. 
Similarly, jamming would not affect our results either: we 
capture jamming with links being down, thus availability 
implies, among other things, no jamming. 

Inaccuracies. We assume correct nodes have accurate 



time and location information. However, in reality, inaccu- 
racies are possible. Regarding time, clocks may be coarse- 
grained, they can drift, especially if the synchronization pro- 
tocol fails, or the node may encounter difficulties in estimat- 
ing message reception times over a noisy channel. Regard- 
ing location, infrastructure (e.g.. Global Positioning System 
(GPS), or base stations) providing location information may 
be temporarily unavailable, or localization algorithms may 
be coarse grained. Some of the inaccuracies can be de- 
creased; For example, averaging ToF over many messages 
decreases estimation errors. But some inaccuracy in time 
and location is unavoidable. 

As secure ND protocols rely on distance estimates, their 
effectiveness can be affected by such inaccuracies. For T- 
protocols, and even more so for TL-protocols, inaccuracies 
hinder availability: they can lead to ToF estimates seem- 
ingly above the threshold for T-protocols, and make the two 
distance estimates diverge for TL-protocols. The only way 
to cope with these is to introduce some tolerance margins 
for measurements. Nonetheless, this would affect correct- 
ness: The higher the tolerance margin, the more space is 
left for fast relay attacks. This manifests the unsurprising 
tension between correctness and availability. Introducing 
inaccuracies explicitly into the framework is an interesting 
component for future work. 

Physical Layer Attacks. The messages considered in 
our framework, albeit at the physical layer, are composed of 
"atomic" components, such as nonces and identifiers, typi- 
cally assumed in formal security frameworks. In [7], Clulow 
et al. pointed out a number of physical layer attacks against 
DB protocols, working at the symbol (or bit) level. In the 
case of external adversaries, as considered in our ND spec- 
ification, the attacks proposed in [7] can result in a (per- 
ceivably) negative Arday This can still be expressed in 
our model, hence our framework (notably the "atomicity" 
assumptions) is not limited with respect to those attacks. 
However, this is not the case for internal adversaries, which 
we discuss in the Open Problems section below. 

5.2 Protocol Comparison 

T-protocoIs versus TL-protocols. TL-protocols are 
less restrictive than T-protocols in term of correctness: They 
do not need the notion of ND range, R, needed by T- 
protocols, and they are secure as long as Areiay > (al- 
ways true, unless th above-discussed inaccuracies and at- 
tacks come into play), while T-protocols require the Areiay 
above Rv~^. In contrast, TL-protocols suffer in terms of 
availability: (i) they require location-aware nodes with se- 
cure location information, a far from trivial requirement, and 
(ii) they do not work for links with non-zero NLOS delay. 
We make a small note here on the nature of NLOS com- 
munication: Although there may be an obstacle between 
two nodes, it can still be possible to calculate the LOS mes- 
sage arrival timeQ This, however, requires special care when 
selecting/designing a wireless receiver. Another practical 
disadvantage of TL-protocols is their requirement that the 
signal propagation speed be v = Vadv (Note: it is reason- 
able to assume Vadv = c, the speed of light); this limits 
TL-protocols to RF and other electromagnetic wave com- 
munications, while T-protocols can be used for lower speed 
technologies such as ultrasound. 

B-protocols versus CR-protocols. B-protocols are 

^If the LOS communication path is blocked by an obstacle. 



conceptually simpler and have less stringent requirements 
for availability, requiring that links be up for shorter periods 
than those needed by CR-protocols. In contrast, B-protocols 
require tightly synchronized clocks, thus being impractical 
for many applications. In terms of correct (secure) oper- 
ation, CRT-protocols require Aroiay, the minimum relaying 
delaye, to be twice as large as that required by BT-protocols 
(for the same R). 

5.3 Open Problems 

We observe that it is impossible to prove the correct- 
ness of the original 1993 distance bounding (DB) proto- 
col by Chaums and Brands [3] either in our framework or 
in the framework by Meadows et al. ^7] that deals with 
DB protocols. First, the Brands-Chaum protocol uses com- 
mitments and an XOR operation; although the XOR op- 
eration is modeled in ^7], it cannot be used as it is in 
the Brands-Chaum protocol. More important, the Brands- 
Chaum protocol includes a rapid-bit-exchange (RBE) phase, 
during which nodes exchange single, fresh bits. This poses a 
problem for the usual modeling of freshness, that is, a mes- 
sage being fresh if it did not previously occur in a trace. 
Obviously, fresh RBE bits will repeatedly occur in a trace, 
as more than two will be exchanged. 

The situation becomes even more interesting if we consider 
internal adversaries, that is, the execution of an ND (or DB) 
protocol with an adversarial node. In general, an attack 
is always possible: An adversarial node can collude with 
another adversarial node that is a neighbor of (is closer to) 
the victim node, and have it execute the ND or DB protocol 
on its behalf [3][17]. However, with additional assumptions, 
for example, that "there is only one adversary node" [3] or 
that "nodes are prohibited to share cryptographic keys" [4]), 
some security guarantees can be claimed. 

Nonetheless, in the presence of internal adversaries, the 
physical layer attacks in Clulow et al. [7] are much more 
significant than in the presence of external adversaries. We 
believe these types of attacks should be represented in any 
framework to prove the security of ND or DB protocols 
against internal adversaries. This would require a shift from 
a model that considers messages to one that considers phys- 
ical communication layer symbols. Interestingly, this re- 
sembles the requirement to properly model the DB RBE. 
But this should not be a big surprise: RBE was introduced 
specifically to deal with internal attackers. The way to de- 
velop these models remains an open question. 

6. RELATED WORK 

The prevalent wormhole prevention mechanism is based 
on distance bounding (DB), which was first proposed by 
Brands and Chaum in [3] to thwart a relay attack between 
two correct nodes, also termed a mafia fraud. Essentially, 
DB estimates the distance between two nodes, with the 
guarantee that it is not smaller from their real distance. 
Subsequent proposals contributed in aspects such as mutual 
authentication [30], efficiency [9], operation in noisy envi- 
ronments |18l 128) . and resistance to execution of the pro- 
file LOS component of the received signal will be attenu- 
ated, and some NLOS components might arrive at the re- 
ceiver with higher power. However, if the earlier-arriving 
LOS component is not too weak, with enough care it can be 
possible to detect it, calculate message reception time and 
the resultant LOS propagation delay. 



tocol with a colluding group of adversarial nodes [4] I27j . 
In the latter, the attack termed terrorist fraud is thwarted 
under the assumption that adversarial nodes do not expose 
their private cryptographic material; if not, one adversarial 
node can undetectably impersonate another and successfully 
stage a terrorist fraud. Authenticated ranging, proposed by 
Capkun and Hubaux in [29] , lifts the technically non-trivial 
requirement of rapid response (present in all the above pro- 
tocols), at the expense of not being resilient to a distance 
fraud, when the protocol is executed with a single, non- 
colluding adversarial node [4]. Finally, two other ND proto- 
cols that rely only on time measurements are the temporal 
packet leashes [15] (recall the V^^^ is essentially a temporal 
packet leash) and TrueLink [8] (neither resistent to the dis- 
tance fraud). The authors of [15] also proposed geographical 
packet leashes, which rely on nodes being location-aware. 
This protocol is quite similar to the TL-protocol introduced 
in |24) . But we emphasize the difference: the latter protocol 
requires clock synchronization as tight as that for temporal 
packet leashes, making it essentially a combination of tem- 
poral and geographical leashes, thus achieving secure ND in 
an environment with obstacles. 

A number of other secure ND schemes is proposed in the 
literature. Most of them rely on other wireless nodes or in- 
frastructure, which may be (sometimes) unavailable, e.g., in 
WLAN or RFID systems. The approach of Poovendran and 
Lazes [23] relies on trusted, location-aware nodes (guards) 
to bootstrap ND. Hu and Evans have proposed a ND scheme 
utilizing properties of directional antennas in [14]. In [16| . 
Maheshwairi et al. propose to use fc-hop connectivity infor- 
mation obtained with a non-secure ND mechanism, and to 
inspect it for forbidden structures. Buttyan et al. also pro- 
pose to use statistic of the connectivity graph, leading to a 
centralized framework, in [5]. Another centralized approach 
by Wang et al. [31] uses approximate distance measurements 
to visualize the network and enable a human operator to 
detect a wormhole attack. Finally, Rasmussen and Capkun 
propose to use RF fingerprinting for secure ND [26]. Al- 
though this is a promising approach, it needs more practical 
investigation, notably about the feasibility of RF fingerprint 
forging. 

The relay attack has been investigated in some recent 
works. One example is [10], where Hancke demonstrates a 
relay attack using only off-the-shelf hardware components, 
with a delay of around 20/iS. In [27] Reid et al. discuss using 
more sophisticated microwave repeaters to achieve nanosec- 
ond level relaying delays. We also refer an interested reader 
to a more theoretical work on relay (and other) physical layer 
attacks on DB by Clulow et al. [3, with a practical follow-up 
in [11] , implementing some of these attacks against two com- 
mercial radio receivers used in RFID and sensor networks. 

Recently, there has been a rising interest in formalizing 
analysis of security protocols in wireless networks. We men- 
tion works focusing on the security of routing [191 [2] 1201 132] , 
local area networking [13] , or broadcast authentication [12] . 
Closer to our work, the problem of DB has been treated for- 
mally in [17] by Meadows et al. Their paper is concerned 
with distance estimation rather than ND, but more impor- 
tantly, the approach is different. The authors of [17] build 
on top of existing formal approaches [6] [22] tailored for "clas- 
sical" security protocols, and augments it with a notion of 
distance based on time-stamps. However, it is not clear how 
neighborhood would be defined in this framework, nor how 



to model a protocol that uses location information, such as 
pCR/TL^ Beyond this, an interesting characteristic of their 
approach is that there is no explicit notion of an adversary. 
On the contrary, our approach starts with an explicit model 
of a wireless environment, including node location, state of 
wireless links, and an explicit adversary, controlling a num- 
ber of nodes in the network. A potential advantage of this, 
although not shown in this paper, is that attack scenarios 
can be expressed in our model, whereas in [17] a collusion 
attack is described in an informal manner. 

7. CONCLUSIONS 

In this paper, we investigate how to analyze and design 
provably secure ND protocols, building on top of the frame- 
work introduced in [24]. We contribute a number of exten- 
sions that enable us to model and reason about more elab- 
orate ND protocols (CR-protocols) than those previously 
considered (B-protocols). Basically, our revised framework 
(i) models additional practical aspects of wireless communi- 
cations, (ii) caters to the co-existence and interoperability 
of secure ND protocols with other wireless security proto- 
cols, and (iii) focuses more than our work in [24] on sought 
properties that are of practical relevance, in particular, per- 
taining to the ND protocol availability. 

We see this work as a step towards provably secure neigh- 
bor discovery. We outline a number of possible extensions 
to our framework, and open problems in the Discussion sec- 
tion. Among those, the seemingly most interesting one is 
to reason on secure ND protocols in the presence of internal 
adversaries. The nature of protocols that could deal with 
this type of adversarial behavior, as well as some recently 
discovered attacks [7], mandate, in our opinion, a shift from 
message-oriented to models that explicitly consider symbols 
at the physical communication layer. 
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